Bob Weinschenk is on a mission to change (for the better) the industry’s
focus on security, one little piece of hardware at a time. Make that one
more Secure Sockets Layer (SSL) Network Interface Card at a time. And a
piece of silicon at a time and fewer CPUs
Britestream’s bright idea: security-on-a-chip products that offload the
heavy lifting of the current secure transaction protocol, SSL
the transaction data in real time in the network stream.
Chip-based and ASIC-based security system providers, such as Britestream,
look at data breaches, hacks, phishing outbreaks and other spots on the
Internet experience and instead see bright opportunities to change the
industry’s approach to security. Weinschenk recently chatted with
internetnews.com about why he thinks offloading SSL’s time has
Q: How would you frame the current landscape in terms of security threats
facing businesses and consumers?
Internet security breaches occur daily, and the frequency and rate at
which these breaches are occurring are rising and will continue to increase
as broadband Internet adoption, e-commerce and communication via the
Internet (i.e., e-mail, VoIP) continue to grow. No individual computer user
or business is entirely protected from Internet security breaches.
Deploying security that works is an enormous headache for IT
organizations. Most solutions are costly, and they’re difficult to install
and maintain. In addition, because they require so much capacity, software
solutions also tend to place an extra burden on CPUs, resulting in a
Q: You see more encryption coming to address these issues. Can you
talk about why?
Different factions in the marketplace are competing. First, there is a
need to protect information (for compliance and regulatory reasons, as well
as business continuity and consumer privacy reasons) and then there is a
growing need to share information (with supply chain partners, for EDI and
outsourcing, and on mobile devices). Both trends are valid and require that
information be secure.
But encrypting data has been expensive because of the
way it’s been done. Now it is truly possible to create more secure
environments at a reasonable cost using a hardware-based SSL solution like
Q: So what’s the problem with SSL?
For starters, it’s slow. Applications can experience a slowdown of 10 to
100-fold. Because of that secure “handshake” that’s necessary to ensure a
secure transaction, such as when you’re buying online, only so much data can
be passed back and forth as part of the security layer. So it’s rationed.
Now, when you have increasing volume of SSL-encrypted traffic going through
a network, this presents major challenges for architects and engineers.
Performance slows, and it’s running over equipment that, frankly, wasn’t
designed to handle encrypted information.
On the other hand, co-processors are evolutionary ways of implementing
SSL, because they make it faster than software alone. However, they can be
very hard to integrate, and then you have to deal with private key
information being stored on software that may be vulnerable. Plus, they can
consume valuable CPU cycles.
Q: Hence the term “SSL offloading”?
While SSL is mission critical, it often results in performance penalties
for servers and computers. With most software-based solutions, systems will
see the available percentage of CPU drop as the number of SSL transactions
increases. These performance problems will only increase as the number of
Web-based transactions increases. By offloading SSL, we can take all of the
processing off the CPU, so that there is not a drop in performance.
Q: Do you want to go with a lockbox-type approach to securing
transactions over the Web?
We think the industry trend is toward more encryption in the
security layer. It’s just going that way. We often tell customers that using a
software-based security system is like hiding the key under the doormat or a
rock in the garden. A hacker will eventually find it; they’ll find a way
to get at it. But with hardware, only you and those you authorize can get at
it. We want to take the CPU out of the equation.
Q: Chips are pricier and harder to integrate or upgrade with other
network systems. You’re more locked in.
By reducing the number of servers needed, you’re lowering your
acquisition costs for both hardware and software. Plus, there’s less
ancillary equipment needed, such as load balancers, firewalls and switches.
Our dual in-stream TCP/IP processing engines eliminate the need for host CPU
cycles. Plus, it’s plug-and-play: it’s delivered as an industry-standard
PCI NIC, solving the network integration problem. You don’t have to
patch, and it’s operating-system independent.
The bottom line is this: sensitive information is stored in hardware,
which is a hacker-proof, tamper-proof vault for the entire enterprise. Plus,
the existing application base is even more demanding of SSL security. When we
do the SSL offload, you can’t even tell, but we’ve definitely reversed the
bottleneck.
The trend is clear anyway: IDC has published studies that show more IT
professionals are interested in buying hardware-based security for their
networks rather than software, the first time it has eclipsed software in
Q: So, we’re heading to a more blended approach with security?
We’re driving towards more encryption, with cards that look like what
you’d see on an Intel chip. [We sit behind the market leaders.] We’re in a
world where we have to manage a thousand PINs. But today, the SSL capability
is kept inside the chip. We take a sluggish system laboring
with SSL encryption and slow data transfer and make it the equivalent
of five or six Itanium servers.
Security is like graphics. You have more
compute levels: more complicated algorithms, larger key sizes. Our
goal is to not have to ration security.